⬅️ Need help getting started? Check out our guide to Running Your First Scan.
Now that you’ve successfully scanned your application, ensure the scanner is covering your entire attack surface by completing the following checks:
Most modern web applications rely on one or more APIs for communication between the browser and back-end systems. To effectively scan these APIs, provide the scanner with an API definition. StackHawk supports the following technologies:
Check out our video for a quick overview of API scanning:
The OpenAPI Specification (AKA Swagger) is an industry-adopted standard for describing RESTful interfaces, which HawkScan can use to deliver a faster, more thorough scan. If you already have an OpenAPI definition for your REST API, you can add it to your scan configuration by specifying it in your
# in the "app" config... app: openApiConf: # Specify the path relative to the host path: "/openapi.yaml"
If you are working with an internal API or an API without a definition, we’ve compiled some resources on how to generate a definition:
For more information about how to configure HawkScan for your REST API, see HawkScan OpenAPI Configuration.
StackHawk is leading the way in securing GraphQL APIs - our scanner has the capability to perform introspection on your GraphQL API to discover the available operations and generates the corresponding routes to test.
Configure GraphQL in HawkScan using the following
# in the "app" config... app: graphqlConf: enabled: true schemaPath: /graphql # relative path to the introspection endpoint operation: MUTATION requestMethod: GET
For more information about how to configure HawkScan for your GraphQL API, see HawkScan GraphQL Configuration.
SOAP API schemas use XML to define the structure of its operations. The schema is made available through a WSDL file, offering a machine-readable format for how the web service works.
Configure SOAP in HawkScan using the following
# in the "app" config... app: # specify the relative path to an SOAP API WSDL (prefix the path with / to pull from the target host) soapConf: path: soapAPI.wsdl # OR... filePath: /soapAPI/v1?wsdl
For more information about how to configure HawkScan for your SOAP API, see HawkScan SOAP API Configuration.
For paths that can’t be accessed by the HawkScan spider, Seed Paths can be configured in your
stackhawk.yaml to ensure HawkScan finds specific endpoints or routes in your application.
||List of paths to supplement the spider. These paths will be used as additional starting points for crawling your application. Useful for paths that are not crawlable from the root of your application. For example,
# in the "app" config... app: seedPaths: ["/admin","/support"]
Learn more about configuring HawkScan in HawkScan Configuration.